Kronos comes back from the dead

A new variant of Kronos emerges.

A new version of the infamous Kronos banking Trojan has been discovered in the wild, with exploit campaigns already active in Germany, Japan and Poland.

Securonix's "Threat Research: Kronos/Osiris Banking Trojan Attack" report said the malware was first discovered in June 2014 as a Banker Trojan available for purchase on a Russian underground forum for $7 000.

Aimed at stealing banking login credentials from browser sessions, Kronos targeted UK and Japanese businesses, before going after French and Canadian banks, among others. It then lay dormant for several years.

Harnessing Tor

The variant, dubbed Osiris, was discovered in July this year, and although markedly similar to the older version, its command and control mechanisms have been refactored to use the Tor network as a means to anonymise itself. Refactoring is the process of restructuring existing computer code, without changing its external behaviour.

Osiris is being sold on the dark market, and contains other new features, including key-logging and remote control via VNC, along with older features like form-grabbing and Web-injection.

Securonix researchers Oleg Kolesnikov and Harshvardhan Parashar said the primary infiltration vector used by the malware is phishing e-mail campaigns carrying carefully crafted Microsoft Word documents or RTF attachments, which contain code that causes malicious, obfuscated Visual Basic stagers to be dropped and executed.

In other cases, the malware is distributed via exploit kits such as RIG EK. "The malicious document exploits a well-known buffer overflow vulnerability in Microsoft Office Equation Editor Component, CVE-2017-11882, which allows the attacker to perform arbitrary code execution," the researchers said.

Osiris also employs anti-VM or anti-sandbox mechanisms to evade detection or analysis in a virtual environment. The researchers have also seen the malware modify Internet zone settings through the registry and lower the security settings of Firefox, so that it is not blocked while it uses man-in-the-browser attacks to inject content into banking Web sites.
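The behaviours described above can be turned into host-based detection rules. The following is an added example, not code from Securonix or from the article: it assumes Sysmon-style events (IDs 1, 11 and 13 with their standard field names), uses EQNEDT32.EXE as the Equation Editor binary, and treats the allowlist, host names and sample events as constructed placeholders.

```python
import ntpath

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # Windows Script Host runs VBScript
ZONE_WRITERS = {"iexplore.exe", "svchost.exe"}  # assumption: expected writers, tune per estate
ZONES_KEY = r"\currentversion\internet settings\zones"
FF_PROFILES = r"\mozilla\firefox\profiles"

def base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path or "").lower()

def classify(ev):
    """Return a finding label for one Sysmon-style event, or None."""
    eid, image = ev.get("EventID"), base(ev.get("Image"))
    if eid == 1:                                # process creation
        parent = base(ev.get("ParentImage"))
        if parent == "eqnedt32.exe":            # Equation Editor rarely spawns children legitimately
            return "equation-editor-child"
        if parent in OFFICE and image in SCRIPT_HOSTS:
            return "office-script-stager"
    elif eid == 13:                             # registry value set
        key = ev.get("TargetObject", "").lower()
        if ZONES_KEY in key and image not in ZONE_WRITERS:
            return "zone-settings-tamper"
    elif eid == 11:                             # file created or overwritten
        target = ev.get("TargetFilename", "").lower()
        if (FF_PROFILES in target and base(target) in {"prefs.js", "user.js"}
                and image != "firefox.exe"):
            return "firefox-prefs-tamper"
    return None

def detect(events):
    """List (host, label) for every event that matches a rule."""
    return [(ev["Host"], label) for ev in events if (label := classify(ev))]

# Constructed sample events (not taken from the report); <value> is a placeholder.
ZONE = r"HKU\S-1-5-21-0\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\<value>"
PREFS = r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd.default\prefs.js"
SAMPLE = [
    {"Host": "WS1", "EventID": 1, "ParentImage": r"C:\Office16\WINWORD.EXE", "Image": r"C:\Windows\System32\wscript.exe"},
    {"Host": "WS1", "EventID": 1, "ParentImage": r"C:\Office16\EQNEDT32.EXE", "Image": r"C:\Windows\System32\cmd.exe"},
    {"Host": "WS1", "EventID": 13, "Image": r"C:\Users\alice\AppData\Roaming\sample.exe", "TargetObject": ZONE},
    {"Host": "WS2", "EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "TargetObject": ZONE},
    {"Host": "WS1", "EventID": 11, "Image": r"C:\Users\alice\AppData\Roaming\sample.exe", "TargetFilename": PREFS},
    {"Host": "WS2", "EventID": 11, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "TargetFilename": PREFS},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(finding)
```

On the constructed sample, the four events from WS1 are flagged and the two benign writes from WS2 are not.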

One step ahead

"Cyber criminals are always looking to stay one step ahead of security solutions," says Jayson O'Reilly, MD of @Vance Cyber Security. "They reinvent their tools through new modifications to make them more sophisticated, and more likely to slip through the security net.

"Don't rely on technology alone. A vast number of security breaches start with a phishing e-mail. Remember, there is no firewall in existence that can stop an employee from clicking on a malicious attachment or link, or losing his or her cellphone."

The answer, according to O'Reilly, is to adopt a human-centric approach that incorporates education, involvement and awareness from the top of the organisation to the bottom. "People are key to any security posture. Organisations cannot rely on tools and solutions alone."
